saeeddxb

asked:

Risk Analysis


What is a generic risk tool for business? And how can someone design it for a business? And is there any formula, equation or way of solving it?
FlamingSword

Also: think of Murphy's law:

If it can go wrong: it will,
And it is likely to fail when you can least afford it

Thus: Contingency Planning
(see also: backup)
First write up some Requirements

Then, the most generic handler I've found is called brain-storming. Collect a handful of reasonably knowledgeable people (an expert is OK), then just make up stuff, even silly stuff (get loose, sillier is better), and have one member nominated to write it up on the board for all to see. Give that person a neat title, like "facilitator", and keep 'em happy (to write, cheer, cajole, entice). After an hour or so, with the board full of "what could go wrong", take a quick break, come back and have people talk about what was written up, circle the more reasonable ones, and make some sense of it that can be placed into a list of probabilities, priorities, and types of risk. Use low/high for simplicity.

Equations are more applicable to repetitions for prior work.

One method I don't like is dumping off quality control to the consumer market. This includes MTBF for HW such as disk drives, which really sounds like a match for a formula, but in practice is termed inefficient for business purposes (marketing, time to market).
NETWORK WORLD NEWSLETTER: M. E. KABAY on
SECURITY
04/03/02
Today's focus: Web-enabled risk analysis

By M.E. Kabay

My good friend and colleague Robert Jacobson recently released his time-tested Cost-of-Risk Analysis tool in a Web-based format. CORA-Web prioritizes the risk exposures of a facility and identifies the most cost-effective mitigation strategy to make best use of available resources.

In the process, it builds a solid business case for risk management recommendations. CORA-Web fully supports the Business Impact Analysis process defined in the draft NIST Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems":
http://csrc.nist.gov/publications/drafts/ITcontingency-planning-guideline.pdf

A recent Deloitte & Touche study of e-businesses disclosed that no respondents were using risk analysis tools to guide risk management decisions: http://www.isaca.org/ecomm.htm

"This is easy to understand," said William Murray, senior researcher on the study, "because until recently there have been no efficient, realistic tools. On the other hand, these are decisions where the use of intuition can result in very expensive error. An efficient tool can easily cover its own cost."

"I have found CORA and its predecessor IST products to be powerful analytical tools for understanding security issues and managing risks," said Lynn McNulty, head of security consultants McNulty and Associates and former associate director for computer security at the National Institute of Standards and Technology.

While serving as director of information systems security for the Federal Aviation Administration, McNulty used these tools to analyze an air route traffic control center. "This was the first quantitative risk analysis of an ARTCC," he said. "CORA makes it easy for an enterprise to quantify and manage all of its risks, and CORA-Web will make it easy for a team to collaborate on a project."

According to Jacobson, open-ended questionnaires have limitations that are overcome by CORA-Web's quantitative model of risk, which focuses attention on the specific details of the risk environment needed to make prudent management decisions. Each user defines exactly which risk factors to include in a risk analysis, and employs the results to evaluate the cost/performance of a full range of risk mitigation, risk transfer, and risk recovery measures.

The application service provider Dynamic Access Systems is hosting CORA-Web. CEO Alan Duncan said, "As an ASP, we put great emphasis on risk management to ensure that we achieve the service levels that our clients expect of us. CORA makes it easy to analyze our risks, particularly threats that can cause service interruptions, and to choose the optimum risk mitigation strategies. The CORA analysis of the DynAccSys ASP systems has made a very strong contribution to our marketing and sales promotion."

For more information about CORA and CORA-Web, see Jacobson's Web site at: http://www.ist-usa.com/

* * *

Disclaimer: I have no financial interest whatever in CORA or in International Security Technology, Inc. Because I have not yet evaluated the software, this column should not be construed as an endorsement.

_______________________________________________________________
To contact M. E. Kabay:

M. E. Kabay, PhD, CISSP is Associate Professor in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail at mailto:mkabay@compuserve.com. He invites inquiries about his information security and operations management courses and consulting services. For papers and course materials on information technology, security and management, visit his Web site at http://www2.norwich.edu/mkabay/index.htm
_________________________________________________________
http://www.ist-usa.com/aboutcoraweb.htm :

The CORA-Web™ "Sixty-Day Solution"

What do you need to do?

Go beyond a simplistic Business Impact Analysis to a full quantitative evaluation of measures to reduce e-business service interruptions, and generate an ROI analysis of each possible strategy.
Build a solid business case for a specific business continuity measure, e.g. remote data copy, on-site diesel generator set, redundant electric service, etc.
Make a credible budget line item for risk losses!
Quantify risk exposures and generate a Frequency-Consequence Plot automatically.
Evaluate the ROI of insurance policies.
Determine the optimum business recovery strategy and Recovery Time Objective (RTO).
Select from several alternative security solutions.
Identify risk exposures that can safely be ignored.
Help is at hand. CORA-Web™ is a powerful risk management decision support system that can resolve risk management requirements like these examples.
Risk analysis for any business involves freezing some parameters, ignoring others, and not even knowing about the most important ones, which probably do not exist at the time the analysis is done.

I had some experience with exponential smoothing and realized it was being pushed in a market forecasting area where it did not fit, because actual quantities were far below those assumed in the development of exponential smoothing theory.  An "old timer" could do better with his traditional "seat of the pants" method.

In another instance I was asked to review equations developed by the operations research staff.  Several pages into the analysis I found significant mathematical errors.

At a seminar where that operations research team went up against the marketing manager, it was brought out that he consistently did as well, again with "seat of the pants" methods, as the highly trained operations research people did with their fancy mathematics.

"Experience is the best teacher".
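The column and the CORA-Web blurb above speak of quantifying risk exposures, plotting frequency against consequence, pricing a budget line for risk losses, computing the ROI of each mitigation strategy, and spotting exposures that can safely be ignored; the example below, written for this thread and not taken from CORA (whose internal model is not described here), does the same with the plain "expected annual loss = frequency times consequence" arithmetic. The threats, rates, dollar figures and reduction factors are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    threat: str
    frequency: float    # expected occurrences per year
    consequence: float  # loss per occurrence, in dollars
    def annual_loss(self) -> float:
        return self.frequency * self.consequence  # annualized exposure

@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float
    frequency_cut: dict    # threat -> fraction of occurrences prevented (0..1)
    consequence_cut: dict  # threat -> fraction of per-event loss avoided (0..1)

def apply_measure(exposures, measure):  # exposures as they look with the measure in place
    return [Exposure(e.threat,
                     e.frequency * (1 - measure.frequency_cut.get(e.threat, 0.0)),
                     e.consequence * (1 - measure.consequence_cut.get(e.threat, 0.0)))
            for e in exposures]

def total_annual_loss(exposures):  # a budget line item for risk losses
    return sum(e.annual_loss() for e in exposures)

def roi(exposures, measure):
    # Return on investment: (annual loss avoided - annual cost) / annual cost
    avoided = total_annual_loss(exposures) - total_annual_loss(apply_measure(exposures, measure))
    return (avoided - measure.annual_cost) / measure.annual_cost

def rank(exposures):  # ordered by annual loss: the data behind a frequency-consequence plot
    return sorted(exposures, key=lambda e: e.annual_loss(), reverse=True)

def negligible(exposures, threshold):  # exposures below the threshold can safely be ignored
    return [e.threat for e in exposures if e.annual_loss() < threshold]

def best_measure(exposures, measures):
    # Candidate with the highest ROI, or None if no candidate pays for itself
    best = max(measures, key=lambda m: roi(exposures, m), default=None)
    return best if best is not None and roi(exposures, best) > 0 else None

# Constructed sample data: hypothetical threats, rates, costs and reduction factors
EXPOSURES = [Exposure("power outage", 2.0, 40_000.0),
             Exposure("data loss", 0.2, 300_000.0),
             Exposure("burst pipe", 0.05, 20_000.0)]
MEASURES = [Measure("on-site diesel generator set", 15_000.0, {"power outage": 0.9}, {}),
            Measure("remote data copy", 25_000.0, {}, {"data loss": 0.8})]
```

With these figures the generator set avoids about $72,000 of expected loss a year for $15,000 (ROI 3.8) and the remote copy avoids about $48,000 for $25,000 (ROI 0.92), so the generator is the better first purchase and the burst pipe, at $1,000 a year, drops below a $5,000 budget threshold.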


Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts Split between SunBow and FlamingSword.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor